
How to configure OpenSSH

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to configure OpenSSH". The content in the article is simple and clear, and it is easy to learn and understand. Please follow the editor's ideas to study and learn "how to configure OpenSSH".

1. Stop and uninstall the OpenSSH that comes with RedHat 9.0

1.1 Stop the service

The code is as follows:

# service sshd stop

1.2 Uninstall OpenSSH

The code is as follows:

# rpm -e openssh --nodeps

# rpm -e openssh-server --nodeps

# rpm -e openssh-clients --nodeps

# rpm -e openssh-askpass-gnome

# rpm -e openssh-askpass

2. Download and install the latest OpenSSL

2.1 Download the software package to the /usr/local/src directory

http://www.openssl.org/source/openssl-0.9.8e.tar.gz

2.2 Install OpenSSL

The code is as follows:

# cd /usr/local/src

# tar zxvf openssl-0.9.8e.tar.gz

# cd openssl-0.9.8e

# ./config shared zlib

# make

# make test

# make install

# mv /usr/bin/openssl /usr/bin/openssl.OFF

# mv /usr/include/openssl /usr/include/openssl.OFF

# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

# ln -s /usr/local/ssl/include/openssl /usr/include/openssl

2.3 Configure the library search path

The code is as follows:

# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

# ldconfig -v
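The step above appends the OpenSSL library directory to /etc/ld.so.conf unconditionally, so repeating it leaves duplicate lines. The following shell script is an added example, not part of the original article: it adds the directory only when that exact line is absent and reports how many matching lines the file holds, so the step can be rerun safely. The demo writes to a temporary file created by the script rather than to the real /etc/ld.so.conf; /usr/local/ssl/lib is the directory from the article.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent handling of an
# ld.so.conf-style file. The article uses "echo >> /etc/ld.so.conf", which
# appends a duplicate line on every run.

# add_ldconf_path <conf-file> <dir>: append <dir> to <conf-file> unless an
# identical line is already present. Returns 0 when the line is present
# after the call. The file is created if it does not exist.
add_ldconf_path() {
    conf="$1"
    dir="$2"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -Fxq -- "$dir" "$conf"; then
        printf '%s\n' "$dir" >> "$conf"
    fi
    grep -Fxq -- "$dir" "$conf"
}

# count_ldconf_path <conf-file> <dir>: number of lines exactly equal to <dir>
# (1 after any number of add_ldconf_path calls, 0 if never added).
count_ldconf_path() {
    grep -Fxc -- "$2" "$1"
}

# run_demo: constructed temporary file instead of /etc/ld.so.conf.
run_demo() {
    tmp="$(mktemp)"
    add_ldconf_path "$tmp" /usr/local/ssl/lib
    add_ldconf_path "$tmp" /usr/local/ssl/lib   # second call is a no-op
    echo "entries for /usr/local/ssl/lib: $(count_ldconf_path "$tmp" /usr/local/ssl/lib)"
    rm -f "$tmp"
}

run_demo
```

On the real system the call would be `add_ldconf_path /etc/ld.so.conf /usr/local/ssl/lib` followed by `ldconfig -v` as in the article; `grep -Fx` matches the whole line literally, so a directory that is merely a prefix of an existing entry is not mistaken for a duplicate.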

2.4 Check the OpenSSL version number to verify that it is installed correctly

The code is as follows:

# openssl version -a

OpenSSL 0.9.8e 11 Apr 2007

built on: Sat Mar 24 21:24:41 CST 2007

platform: linux-elf

options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)

compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM

OPENSSLDIR: "/usr/local/ssl"

3. Download and install the latest OpenSSH

3.1 Download the software package to the /usr/local/src directory

ftp://openbsd.nsysu.edu.tw/BSD/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz

3.2 Installation

The code is as follows:

# cd /usr/local/src

# tar zxvf openssh-4.6p1.tar.gz

# cd openssh-4.6p1

# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man

# make

# make install

3.3 Check the OpenSSH version number and verify the installation result

The code is as follows:

# ssh -v

OpenSSH_4.6p1, OpenSSL 0.9.8e 11 Apr 2007

usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]

           [-D [bind_address:]port] [-e escape_char] [-F configfile]

           [-i identity_file] [-L [bind_address:]port:host:hostport]

           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]

           [-R [bind_address:]port:host:hostport] [-S ctl_path]

           [-w local_tun[:remote_tun]] [user@]hostname [command]

4. Start the service and verify that it is listening

4.1 Debug startup. If the following output appears, sshd can be started normally.

The code is as follows:

# /usr/sbin/sshd -d

debug1: sshd version OpenSSH_4.6p1

debug1: private host key: #0 type 0 RSA1

debug1: read PEM private key done: type RSA

debug1: private host key: #1 type 1 RSA

debug1: read PEM private key done: type DSA

debug1: private host key: #2 type 2 DSA

debug1: rexec_argv[0]='/usr/sbin/sshd'

debug1: rexec_argv[1]='-d'

socket: Address family not supported by protocol

debug1: Bind to port 22 on 0.0.0.0.

Server listening on 0.0.0.0 port 22.

Generating 768 bit RSA key.

RSA key generation complete.

4.2 Start the service

The code is as follows:

# /usr/sbin/sshd

4.3 Check whether port 22 appears among the listening ports

The code is as follows:

# netstat -tnlp | grep :22

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

4.4 Attempt to log in locally via ssh

The code is as follows:

# ssh root@localhost

The authenticity of host 'localhost (127.0.0.1)' can't be established.

RSA key fingerprint is 03:eb:80:fe:07:d9:9d:00:1c:15:37:93:d1:d3:8e:6d.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

root@localhost's password:

Last login: Wed Apr 11 11:29:04 2007 from localhost.localdomain

V. Detailed description of the sshd process and its options

The sshd service is the daemon of OpenSSH. The utility programs shipped with it can replace rlogin and rsh, establishing a secure, encrypted connection between two hosts across an insecure network such as the Internet. sshd listens for connection requests from clients and forks a child process for each request it receives; the child handles key exchange, encryption, authentication, command execution and data transfer. sshd can be configured at startup with command-line options or a configuration file; an option given on the command line takes precedence over the same option in the configuration file.

-4 Forces sshd to accept only requests from IPv4 addresses.

-6 Forces sshd to accept only requests from IPv6 addresses.

-b Specifies the length, in bits, of the server key for ssh protocol version 1.

-D This option is used only when monitoring the startup of sshd: with it, sshd does not detach and run as a daemon.

-d Starts debug mode: sshd runs in the foreground, shows its startup status and writes detailed debug information to the log file. In this mode sshd does not fork child processes, so it accepts only one connection request. This option is mainly used to debug sshd.

-e Outputs error information to the log file, excluding the normal debug information.

-f Specifies the configuration file to use; the default is /etc/ssh/sshd_config.

-g Specifies a grace period, in seconds by default, that the client is given to authenticate. If the client fails to authenticate within this period, sshd disconnects and exits. 0 means no time limit.

-h Specifies a host key file that is read when sshd starts. This option must be given when sshd is started as a non-root user (because only root has read access to the default key files). The default key file for ssh v1 is /etc/ssh/ssh_host_key; for ssh v2 the default key files are /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key. Different key files can be specified for different protocol versions and key algorithms.

-i Specifies that sshd is started from the inetd daemon. sshd must generate a server key before it can accept client requests, which takes about 10 seconds; if the key had to be regenerated for every request, clients would wait a long time, so sshd is not started from inetd by default. With a shorter key, this option becomes a workable choice.

-k Specifies the interval after which the ssh v1 server key is regenerated (the default is one hour). Because the key changes so frequently it never needs to be stored, so it is almost impossible to recover encrypted traffic more than an hour old even if the machine is later compromised, which greatly improves security. 0 means the key is never regenerated.

-o Specifies an option in the format used in the configuration file, on the command line.

-p Specifies the port on which sshd listens (the default is 22). Several ports can be given at once. When this option is used, the port specified in the configuration file is ignored.

-q Quiet mode: nothing is written to the system log. Normally service startup, authentication and every terminal login are logged.

-t Test mode: only checks the configuration file for correctness and verifies that the keys are sound. It is mostly used after the configuration file has been changed.

VI. Detailed description of sshd-related files

~/.hushlogin

If the PrintLastLog and PrintMotd options are enabled in the configuration file, this file governs the display of the previous login time and the contents of /etc/motd on the screen. The banner specified by the Banner option, however, is not displayed through it.

~/.rhosts

This file is used for host-based authentication. If some users' home directories are on an NFS file system, the file must be globally readable, because sshd reads it as root. The file must be owned by the user concerned, and no other user may have write permission to it. The generally recommended permission is 600.

~/.ssh/authorized_keys

This file stores the user's public keys, which are used to authenticate the user at remote login. Public key information is not highly sensitive, but it is still recommended to set the permission to 700. If this file, the ~/.ssh directory or the user's home directory can be accessed by other users, the file could be modified or replaced by unauthorized users; in that case sshd will refuse to use the file unless StrictModes is set to "no" in the main configuration file.

~/.ssh/environment

If this file exists, it is read into the user's environment at login. It may contain only blank lines, comment lines starting with "#", and assignment lines of the form "name=value". The recommended permission is 600. This feature is disabled by default and is enabled with the PermitUserEnvironment option.

~/.ssh/known_hosts

The host keys of the hosts the user has successfully logged in to are stored in this file, excluding hosts that have been authenticated at the system level. Only root and the owner should have read and write permission.

~/.ssh/rc

This file holds initialization routines that run before the user's home directory becomes accessible; its permission should be 600.

/etc/hosts.equiv

Used for host-based authentication; it may be written only by root.

/etc/nologin

If this file exists, sshd denies login to every user except root. Its contents are displayed to any user who attempts to log in, after which all non-root users are rejected. The file should be globally readable.

/etc/ssh/ssh_known_hosts

Holds the host keys of known hosts for system-level host-based authentication. The administrator must configure this file by hand, storing the public keys of the known hosts in it. It should be writable only by root but globally readable.

/etc/ssh/ssh_host_key

/etc/ssh/ssh_host_dsa_key

/etc/ssh/ssh_host_rsa_key

These three files store the private parts of the host keys. They must be owned by root, readable only by root and inaccessible to every other user. If another user can read one of these files, sshd will not start.

/etc/ssh/ssh_host_key.pub

/etc/ssh/ssh_host_dsa_key.pub

/etc/ssh/ssh_host_rsa_key.pub

These three files hold the public parts of the host keys; they should be globally readable but writable only by root, and each corresponds to the private key file of the same name. They have no practical use other than to facilitate authentication at login, so they are often copied to other trusted hosts. ssh-keygen can be used to generate these files.

/etc/ssh/sshd_config

The main configuration file for sshd.
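As an added example that is not part of the original article, the following shell script audits a directory tree laid out like the paths above (an etc/ssh directory with host key files, plus per-user ~/.ssh/authorized_keys and ~/.rhosts files) against the permission rules just described: private host keys must carry no group or other bits, and public host keys and per-user files must not be writable by group or others, which is also the condition StrictModes enforces. The tree layout under the sample root, the user name alice and the fixture built by build_sample_tree are constructed for the demonstration; ownership (root for the host keys) is not checked here because the fixture is meant to run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original article): permission audit for the
# sshd-related files described above, run against a tree rooted at "$root"
# so it can be exercised on a constructed copy instead of the live /etc/ssh.

# mode_of <file>: permission bits in octal, e.g. 600 (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private_key <file>: a host private key must be 600 or 400, i.e. no
# group/other bits at all (the article: sshd will not start otherwise).
check_private_key() {
    m="$(mode_of "$1")"
    case "$m" in
        600|400) return 0 ;;
        *) echo "BAD  $1: private key mode $m, expected 600" >&2; return 1 ;;
    esac
}

# check_no_group_other_write <file>: fail if the group or other write bit is
# set. Works on 3- and 4-digit modes by matching the trailing digits.
check_no_group_other_write() {
    m="$(mode_of "$1")"
    case "$m" in
        *[2367]?|*[2367]) echo "BAD  $1: group/world writable ($m)" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# audit_tree <root>: walk a tree shaped like /etc/ssh and /home/<user>/...
# and print the number of violations found (details go to stderr).
audit_tree() {
    root="$1"; bad=0
    for k in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        [ -f "$root/etc/ssh/$k" ] && { check_private_key "$root/etc/ssh/$k" || bad=$((bad+1)); }
        [ -f "$root/etc/ssh/$k.pub" ] && { check_no_group_other_write "$root/etc/ssh/$k.pub" || bad=$((bad+1)); }
    done
    for f in "$root"/home/*/.ssh/authorized_keys "$root"/home/*/.rhosts; do
        [ -f "$f" ] && { check_no_group_other_write "$f" || bad=$((bad+1)); }
    done
    echo "$bad"
}

# build_sample_tree <dir>: constructed fixture with two correct files and two
# violations (a world-readable private key and a world-writable authorized_keys).
build_sample_tree() {
    mkdir -p "$1/etc/ssh" "$1/home/alice/.ssh"
    : > "$1/etc/ssh/ssh_host_rsa_key";        chmod 600 "$1/etc/ssh/ssh_host_rsa_key"
    : > "$1/etc/ssh/ssh_host_rsa_key.pub";    chmod 644 "$1/etc/ssh/ssh_host_rsa_key.pub"
    : > "$1/etc/ssh/ssh_host_dsa_key";        chmod 644 "$1/etc/ssh/ssh_host_dsa_key"       # too open
    : > "$1/home/alice/.ssh/authorized_keys"; chmod 666 "$1/home/alice/.ssh/authorized_keys" # world-writable
}

# run_demo: build the fixture in a temporary directory and audit it.
run_demo() {
    d="$(mktemp -d)"
    build_sample_tree "$d"
    echo "violations: $(audit_tree "$d")"   # 2 for the fixture above
    rm -rf "$d"
}

run_demo
```

Against a real host the call is `audit_tree /` (as root, so the private keys can be stat'ed); a non-zero count before restarting sshd points at exactly the files the article says will make sshd refuse to start or make StrictModes reject a user's authorized_keys.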

Thank you for reading. The above is the content of "how to configure OpenSSH"; after studying this article you should have a deeper understanding of how to configure OpenSSH, although specific usage still needs to be verified in practice. The editor will publish more articles on related knowledge points; you are welcome to follow.
